
Prerequisites

In order to have the Nousot Cloud Engineering Platform deploy resources into your cloud environment, initial setup is required.

Azure

Azure Account Setup

The compute and storage resources for the Nousot Ecosystem will be deployed into your private Azure account. Azure resources and services are provisioned inside subscriptions, which will need to be created within your organization (if they aren't already). We recommend utilizing three subscriptions for resources related to the Nousot Ecosystem, one of which may already exist. You can follow Microsoft's own documentation on how to create subscriptions.

Hub Networking

A hub-and-spoke networking model is our recommendation for configuring a flexible and secure private cloud network (which we'll discuss in detail later in the document). As part of this model, we recommend putting the resources related to the hub network in their own subscription. If you already have a naming convention for Azure, we recommend staying consistent with it; if not, you can name the subscription as follows:

<your organization>-network-prod

Note: If you already have a hub network set up in a subscription, no need to create another one - we'll use what you have.

Development Environment

We typically start with two environments - one for development and one for production - and ask for a subscription for each. You can follow a similar naming convention as the hub network subscription:

<your organization>-analytics-dev

Production Environment

The production subscription can be named similarly:

<your organization>-analytics-prod

Azure Service Principal Creation

A service principal will be used to programmatically deploy resources into the environment. We recommend a single service principal with access to both the development and production subscriptions. You can follow Microsoft's documentation for how to create a service principal, and name it “nousot-ecosystem”. Leave the supported account types as “Accounts in this organizational directory only” and the redirect URI section as the default. We'll need a client secret to log in with the service principal, so please follow option 2 from the documentation to create one for the same service principal. Document the tenant ID, application ID, and client secret of the service principal, and securely share them with your Nousot implementation team according to your organization's best practices.

Azure Account Access

Once you have subscriptions and service principals created, the appropriate access can be granted. Accounts will need to be created in your Active Directory instance for your Nousot implementation team (this information should have been shared with you) and synced up to Azure AD so that we can work in your Azure account. Those accounts and the service principal will need to be assigned the “Owner” role on all subscriptions mentioned in the “Azure Account Setup” section. Roles can be assigned through the Azure portal. Later in the project we'll help you determine a lower level of access for day-to-day operations. The service principal will also need the “Cloud application administrator” role assigned in Azure AD. Service principals are treated just like users, so this role can be granted according to the same process.

DNS Setup

We utilize your domain to create DNS records that provide friendly URLs for your users. This requires some setup before we can get started.

Subdomain Delegation

Any subdomains used for the Nousot Ecosystem will need to be delegated to Azure DNS. We recommend “analyticsdev.<your top level domain>.<your domain extension>” for development and “analytics.<your top level domain>.<your domain extension>” for production. Microsoft provides documentation for how to create an Azure DNS zone and perform this delegation, which you can follow for the necessary subdomains. The process will differ slightly depending on your domain registrar, so don't hesitate to reach out to your Nousot implementation team for additional support. Azure DNS zones should be created in the subscription corresponding to their environment, so “analyticsdev” would need to be created in the development subscription and “analytics” would need to be created in the production subscription.
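One way to verify the delegation described above once the registrar change is in place, as an added example (not Nousot's or Microsoft's code): it compares the NS records published at the parent with the name servers listed on the Azure DNS zone. The function names and sample name-server values are constructed for illustration; `dig` and the Azure CLI are assumed for live use.

```shell
#!/bin/sh
# Added example: confirm that a delegated subdomain points at the name servers
# Azure DNS assigned to its zone. All sample values below are constructed.

# Lowercase, strip trailing dots, one name per line, sorted and de-duplicated.
normalize_ns() {
  printf '%s\n' "$1" | tr -s '[:space:]' '\n' | tr '[:upper:]' '[:lower:]' |
    sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# $1 = NS records seen at the parent, $2 = name servers listed on the Azure zone.
# Prints ok | not-delegated | mismatch | no-zone; returns 0 only for ok.
check_delegation() {
  parent=$(normalize_ns "$1")
  zone=$(normalize_ns "$2")
  [ -n "$zone" ] || { echo "no-zone"; return 2; }
  [ -n "$parent" ] || { echo "not-delegated"; return 1; }
  [ "$parent" = "$zone" ] && { echo "ok"; return 0; }
  echo "mismatch"; return 1
}

# Parent-side name servers that the Azure zone does not list. These do not
# serve your zone and should be removed at the registrar.
stale_ns() {
  zone=$(normalize_ns "$2")
  for ns in $(normalize_ns "$1"); do
    printf '%s\n' "$zone" | grep -Fxq "$ns" || printf '%s\n' "$ns"
  done
}

# Constructed sample data in the shape the two live commands below return.
SAMPLE_ZONE="ns1-05.azure-dns.com. ns2-05.azure-dns.net. ns3-05.azure-dns.org. ns4-05.azure-dns.info."
SAMPLE_PARENT_OK="NS4-05.azure-dns.info
ns3-05.azure-dns.org ns2-05.azure-dns.net ns1-05.azure-dns.com"
SAMPLE_PARENT_STALE="ns1-05.azure-dns.com. ns2-05.azure-dns.net. ns1.old-registrar.example."

# Live use (values in <> are placeholders):
#   check_delegation "$(dig +short NS analyticsdev.<your domain>)" \
#     "$(az network dns zone show -g <resource-group> \
#        -n analyticsdev.<your domain> --query nameServers -o tsv)"
check_delegation "$SAMPLE_PARENT_OK" "$SAMPLE_ZONE" || true     # ok
check_delegation "$SAMPLE_PARENT_STALE" "$SAMPLE_ZONE" || true  # mismatch
stale_ns "$SAMPLE_PARENT_STALE" "$SAMPLE_ZONE" || true
```

Run the check once per environment, against the zone in the subscription that matches it.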

Certificate Creation

Certificates for these subdomains need to be created so that the tools in the Nousot Ecosystem are protected by SSL. These certificates can be generated by your service of choice. We prefer wildcard certificates if possible (i.e. “*.analytics.<your top level domain>.<your domain extension>”) so that we can continue to add tools to your environment without the need to modify the certificates. Once created, certificates will be securely stored in Azure Key Vault for use by the Ecosystem. Create a Key Vault in each subscription (e.g. development and production), and import each certificate into the vault corresponding to its environment (e.g. the “analyticsdev” certificate should be imported into the development Key Vault).